What happened to the Crosby Review?

William Heath asks “what happened to the Crosby review” in his “Ideal Government” blog (a must for those of you who want to keep abreast of the thinking among the e-government movers and shakers). However, while I always find William’s insights most perceptive and his blog most informative I think he is on the wrong tack. I think that Crosby has put issues into the wider perspective and the result is even more challenging, across the whole of Whitehall, not just Home Office, than William speculates. Hence some of the drafting of the Public Service Agreement to which I referred in my entry on delivering the Transformation of Government.

Ninety years ago, in 1917, when HMG was seeking to conscript the entire population, male and fenale, for war work, the Registrar General outlined ideas for a permanent system of population registration. Twelve years later, in 1929, his thinking had moved on and he proposed continuously updated local registers to accurately identify every individual to ensure they "fulfilled their obligations to the community", "secured their rights as citizens" and to provide better statistics.

The arguments over information sharing in the public sector have not moved on much since then:

To give the extremes on both sides.

Benefit recipients or patients can suffer or even die if their information is not available and shared when needed. But battered wives and children can similarly suffer or even be killed if their abuser gains access to their new identity - and we can all be at risk if our employers’ payroll file or similar files containing our personal details are stolen, sold or otherwise “leaked”.

Meanwhile the private sector has very much more experience with sharing high value information than has government.

Nearly a thousand years ago the Knights Templar combined courier, bodyguard and credit card in a seamless service from the Orkneys to Jerusalem. And they really did trade with the enemy. Their network inter-operated not only with those of the Lombards and the Venetians but with those of the Jewish and Islamic families operating from Baghdad to Mumbai.

And there are some very simple lessons from the private sectors’ thousand years of practical experience.

First - Trust is earned by those who accept responsibility. To be credible the routines for sharing must be built around clear liabilities for when things go wrong.

In the private sector it is – who do we sue?

In the public sector it is – who does the Minister blame when it appears in the Daily Mail?

And by “going wrong” – I include people dying or being killed because information was not shared or was because it was shared with the wrong person, not just because the file was lost, sold or sent by mistake to the wrong address.

The second lesson is that those with access to information must know with whom they are expected to share it - and who to consult when some-one outside that circle requests information. And that includes what to do if some-one claims it is an emergency and there is, supposedly, no time to consult …

At the technical level it is not difficult to embed such guidance in on-line information systems.

The problem comes with the slew of legislation, regulation and mythology that surrounds any given application – some it dating back to well before 1917.

Hence the need for clear guidance for those in the call-centre or on the help-desk.

Major financial services operations not only provide such guidance, they train all staff and contractors in their security processes and do not allow them to log on to the system until they have passed the test.

And those whose reputation is most risk from a leak of data, like Experian, vet ALL staff, and I do mean ALL, including the contractors and cleaners.

The need for clear penalties for abuse are obvious, but these must also be tailored to the realities of the public sector and apply to those who put the vulnerabilities there in the first place, not just those on the help-desk when the mistake was made – and they also need to apply to those who cause avoidable pain and suffering by failing to pass information to those to whom they should.

That leads me back to liabilities and responsibilities because unless these are clear and transparent, as with the private sector standards for information exchange developed by groups like Identrust and TWIST, the temptation to fudge the need to follow good practice at all levels, including at the top, is too great for any manager, let alone any politician to resist.

And if the Crosby report raises such issues. then little wonder that publication has been delayed pending progress with the wide ranging reviews of information assurance that have been launched since the review of the independent assessor was completed in July.

Tags:

No TrackBacks

6 Comments

The Cabinet Office paper on transformational government reads like a letter to Father Christmas, promising to be better in future but asking please, please, for lots of new computer systems now.

The transformational government initiative is a plaintive attempt to find a role for thousands of civil servants to interfere where they have no business and can be no use.

I do not think we need let considerations of that hopeless initiative detain us and I do not believe that Sir James Crosby will have let them detain him.

The private sector has more experience of identity management than the government but, don't forget, the government are quite prepared to buy that experience -- it is available to them. That can't be detaining Sir James either.

But given that the private sector do have the experience and the staff and the systems and the ideas and the applications and the incentive, what on earth is the point the government developing systems as well?

That is, identity management is happening anyway. All the government need to do is piggy-back. Take mobile phones as an example. The networks are up and running. Everyone's got a phone. The Telcos have all the data. All the government need to do is build a gateway to interrogate the Telco databases and then they can find out where everyone is and who they're talking to. They don't need to build a mobile phone network themselves. That's what I mean by "piggy-backing".

Identrust have got quite enough problems explaining how liability is or isn't transferred between counterparties for the government to take one look, I should have thought, and say no thank you. The government won't underwrite the National Identity Scheme (NIS) for several reasons. One good reason is that they are the public sector, not the private sector -- we would be compensating ourselves with our own money.

Given that the NIS will not be underwritten, what would the equity analysts make of it and what would their shareholders make of it if they saw the banks and the retailers relying on the NIS? I don't think they'd be very impressed. What are you doing relying on this callow NIS when you've got better systems in-house already, they might ask? Your job is to do banking/sell groceries, they may say, not provide fig leaves for the government's embarassing bits. Share prices go south, non-executive directorships dry up.

I think you put your finger on it when you point out that the private sector already do identity management. That is the main reason why Sir James must have a very short report to present with a rather disobliging conclusion.

There is one issue you don't mention -- biometrics. The biometrics chosen for the NIS are simply too unreliable to do the job. That guarantees that the NIS must fail, and transformational government, and eBorders. It is not Sir James's job to get the government off that hook -- it is politicians who keep braying about 100% certain identification.

Mr Heath is on the right tack.

And so are you. There are wider aspects to investigate. Our government is not alone in pursuing this will o' the wisp of biometrics-based identity management. So is every other government in the EU and so is the US. The first one to break ranks and point out that the emperor has no clothes is going to attract a lot of flak. They'll be heroes in the end, but it will be a bumpy ride for a while.

In the public sector it is – who does the Minister blame when it appears in the Daily Mail?"

And what happens when those two intersect e.g. when the private sector relies on the public sector authenticated identity to proceed with a transaction and it is subsequently found that the public sector got it wrong?

The Home Office have been on the pitch for 200 years or so now. It's not as though they lack match experience.

They've got a Permanent Secretary known as "the assassin", they've got directors of everything including strategy and a team all hand-picked for Rolls-Royce cerebellums.

It's been five years since the consultation document on entitlement cards, they've had plenty of time to think about it and in that time they've notched up a £50 million consultancy bill and head-hunted the managing partner of Accenture UK, a man who must know the whereabouts of more skeleton-filled closets than even Sir James Crosby.

And you're telling us that only now are the wider issues being considered and that it takes Sir James to do it. What have IPS been doing for five years?

You'd think they might be able to issue an invitation to tender by now, but no, all we've had is the prospectus for a framework of a strategy for supplies. Good on process. We're on version 2.2 of the prospectus. Version 2.3 promises to be a cracker. But no ITT.

Instead, IPS are going to talk to the same suppliers they've already been talking to for five years between now and next April presumably with a view to finding out from them what it is that they want.

What can Sir James, coming from the private sector, be expected to make of this? The bag no longer contains the cat, does it -- the National Identity Scheme has become the most expensive programme for the chronically incapable in the history of occupational therapy.

And what can the prospective suppliers be expected to make of it? There's a general election coming up. Two parties out of three have promised to tear up the contractors' contracts on day one. Accenture had to swallow an eight- or nine-figure loss on NPfIT and Metronet are in receivership -- the contractors can't expect any compensation. Would you fancy your chances against David Davis? With IPS as your patron to defend you?

And the police and the security services, the people who know what they're doing, must be looking on with their mouths positively akimbo.

I mean, can anyone remember what this fatuous scheme is supposed to be for? Crime prevention and detection? Counter-terrorism? Efficient public services? Is there anyone left on the planet who believes that those irreproachable objectives can be achieved by giving everyone a card and keeping a list?

"we would be compensating ourselves with our own money"... Yes, but more accurately: some of up would be being compensated with the money of most of us. As that's how taxation works, it would be a what William Heath beautifully termed an 'irrational derogation' if that were used as the argument for failing to underwrite the scheme.

"... some of u[s] would be being compensated with the money of most of us. As that's how taxation works ..."

As I understand it, the National Identity Scheme is supposed to be funded out of passport fees, which would explain why they have quadrupled from £18 in 1997 to £72 now. IPS may take Treasury loans in respect of the scheme but those need to be repaid with interest from future passport/ID card/biometric fees.

As such, although it looks like it and feels like it, this may not technically be taxation.

If any of the above is correct, then there may still be a legitimate question whether it makes sense to compensate ourselves in the case of a transaction going wrong because an IPS identity turns out to be false or misleading in some way.